Widespread HIPAA Violations Lead to $36 Million in Fines, Settlements

Since 2003, the Office for Civil Rights (OCR) has settled HIPAA violations to the tune of $36 million, with the two most recent settlements coming from Oregon Health & Science University and the University of Mississippi Medical Center.

HIPAA protections are granted by three separate, yet related, rules. The first one, the HIPAA Privacy Rule, is a set of Federal standards to protect the privacy of medical records, and was released on April 14, 2003.

The HIPAA Security Rule establishes national standards for the security of electronic health information across administrative, technical, and physical safeguards. This rule was released on April 20, 2005.

The third rule, the HIPAA Breach Notification Rule, requires entities to notify the OCR regarding breaches of health information as of Sept. 23, 2009.

Since the first rule was enacted in April 2003, OCR has received more than 134,246 HIPAA complaints and resolved 96% of these cases. A few ways these cases have been settled include:

Two of the most recent HIPAA settlements came from the Oregon Health & Science University (OHSU) and the University of Mississippi Medical Center (UMMC).

OHSU agreed to settle violations of the HIPAA Privacy and Security Rules through a three-year corrective action plan and a $2.7 million payment to the Department of Health and Human Services. The university submitted multiple breach reports involving unencrypted laptops and thumb drives, and the investigation uncovered widespread issues within the university’s HIPAA compliance program. In addition, the university lacked established, widespread policies to prevent, detect, and correct security violations.

UMMC settled with HHS for $2.75 million following a breach of electronic protected health information (ePHI) affecting 10,000 individuals. During the investigation, OCR found that UMMC had been aware of its system vulnerabilities since April 2005, yet made no move to fix the systems until after the breach.

“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” said Jocelyn Samuels, director of OCR. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”